- Training
- Training Live Events
- Training Without Travel
- SANS Courses
- Certified Instructors
- Career Roadmap
- Training Calendars
- SANS @Home
- SANS OnDemand
- Community SANS
- SANS Mentor Program
- SANS Onsite
- SANS SelfStudy
- SANS Partnership Series
- SANS Workshop Series
- Webcasts
- Work Study
- Events Archive
- DoD 8570
- Voucher Credit Program
- group discounts
- Certification
- Resources
- Vendor
- Portal
- Storm Center
- College
- Developer
- About
the most trusted source for computer security training, certification and research
Combating the Lazy User: An Examination of Various Password Policies and Guidelines
- Abstract
- A variety of password policies and guidelines are publicly available on the Internet. Most of them establish a set of rules which are either required or recommended for the user to follow when creating a password. Such rules include, but are not limited to, specifications for the length of the password, the character set(s) to be used, and whether or not dictionary words are allowed in the password. (A complete password policy also discusses many additional topics, such as how often passwords must be changed, but those additional aspects of password policies are not the subject of this paper.) This paper demonstrates that many published policies and guidelines will allow for the creation of weak passwords by lazy or inexperienced users. Such passwords may provide a relatively easy method of attack using custom dictionaries and readily available password cracking tools. This paper also makes recommendations by which the Security Administrator can improve the strength of the passwords which are created by the users on his system.